Join Log in
Score:0
Lacrymae avatar Server

Remote Group Policy Update failed (Access Denied) for Domain Admin

mk flag
Lacrymae

My first question in ServerFault heya :)

In our domain manage all server and client machines with Microsoft Active Directory. We have 13 Vm Server. Domain\administrator user is Domain admin. I use it in domain everywhere (IIS web services, Remote Logins, Task Schedule, Veeam Backups etc.) without any permission issue.

Today i config a policy under DC and assign it to Servers OU which all servers in it. And try Right Click on this OU, select Group Policy Update. 9 are Failed 4 are Succeeded. I attach the results.

4 Succeeded Servers

1 Windows Server 2012 R2

2 Windows Server 2008 R2 Standart

1 Windows 10 Pro 21H1

9 Failed Servers

6 Windows Server 2016

2 Windows Server 2012 R2

1 Windows 10 Pro 21H1

Group Policy Update Results

I search over internet and try many solutions but no way. I compare one of succeeded and failed machines firewall rules, Domain\administrator user rights, some registry settings etc. and they are same.

Also Invoke-GPUpdate -computer SERVERNAMEHERE -force command excuted from DC return below error;

Invoke-GPUpdate : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
Invoke-GPUpdate -computer SERVERNAMEHERE -force

CategoryInfo          : NotSpecified: (:) [Invoke-GPUpdate], UnauthorizedAccessException
FullyQualifiedErrorId : Unspecified,Microsoft.GroupPolicy.Commands.InvokeGPUpdateCommand

After executed above GpUpdate command i go to target server and check the Windows Security Logs in Event Viewer and see below entries;

Special privileges assigned to new logon.

Subject:
    Security ID:        DOMAIN\administrator
    Account Name:       administrator
    Account Domain:     DOMAIN
    Logon ID:       0x26A9C63

Privileges:     SeLoadDriverPrivilege
            SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege
            SeDebugPrivilege
            SeSystemEnvironmentPrivilege
            SeImpersonatePrivilege
            SeDelegateSessionUserImpersonatePrivilege

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Information:
    Logon Type:     3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        DOMAIN\administrator
    Account Name:       administrator
    Account Domain:     DOMAIN
    Logon ID:       0x26A9C63
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   SERVER-DCHERE
    Source Network Address: DC.IP.H.ERE
    Source Port:        50691

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V2
    Key Length:     128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

So I am stuck at this point. Succesfully remote logon, 4 machine success remote excution with same user mix my brain :( Any idea appreciated. Thanks in advance.

--- EDIT 1 ---

I enable Group Policy debug logging on the failed machine. Than Execute Invoke-GPUpdate -computer SERVERNAMEHERE -force command from DC. Below lines created in target machine %WINDIR%\debug\UserMode gpsvc.log;

GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 000000000000012C

GPSVC(13b4.24c) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0

GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Entering with event 0000000000000128

GPSVC(2420.f04) 16:24:37:497 CGPNotify::UnregisterNotification: Exiting with dwStatus = 0x0

Also i try second time but no logs genereated. These logs not belongs to my remote gpupdate execution i think.

140
0 + 6
cn flag
Greg Askew
Tell us about the other tests you have performed to the failed machine from the machine where you are performing the test. `winrm id -r:machinename`
0
Reply
Lacrymae avatar
mk flag
Lacrymae
Also i have checked admin rights wit his command from DC `\\ComputerName\admin$` and folder opened directly. Not ask any credentials.
0
Reply
Lacrymae avatar
mk flag
Lacrymae
`winrm id -r:machinename` result is `IdentifyResponse ProtocolVersion = http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd ProductVendor = Microsoft Corporation ProductVersion = OS: 10.0.14393 SP: 0.0 Stack: 3.0 SecurityProfiles SecurityProfileName = http://schemas.dmtf.org/wbem/wsman/1/wsman/secprofile/http/spnego-kerberos`
0
Reply
cn flag
Greg Askew
You will need to check the Microsoft-Windows-GroupPolicy/Operational event log. Also enable Group Policy debug logging on the failed machine. https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/a-treatise-on-group-policy-troubleshooting-8211-now-with-gpsvc/ba-p/400304
0
Reply
Lacrymae avatar
mk flag
Lacrymae
@GregAskew i enabled logging and catch some lines. But somethings wrong with my debug i think. I added debug log outputs as EDIT 1 to main question.
0
Reply
us flag
twconnell
According to best practices: Personnel with responsibilities for managing both domain controllers and enterprise servers should be given separate accounts. You should look into, and implement a tiered administration model.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.